Breaking Down the Leave ATM Alone Contest at PHDays 8

At Positive Hack Days 8 the good old ATM-hacking contest Leave ATM Alone was held once again. Participants had two ATMs at their disposal; the hardware was provided by our banking security partner Alfa-Bank. We set the ATMs up specially for the competition and planted vulnerabilities in them. Within 15 minutes a participant had to bypass the protection and extract money from the device. The prize fund was 40 000 ₽, and about 40 participants came to try their luck against the defenses. Leonid Krolle, organizer of the contest and a specialist in the banking systems security research department at Positive Technologies, describes how it went and analyzes the tasks in detail.



Leave ATM Alone Contest

The participants had two ATMs. One of them ran application control software from our partners, which prevents untrusted applications from launching: it blocks any application that would be needed for a cash withdrawal (hello, Cutlet Maker, BubbleMaker and nemagiya!).

The second ATM was connected over the network to a test processing host, which allows a cash withdrawal to be performed (the cash is inside the ATM). However, the processing host sends a command to dispense from a cassette that holds no money. The participants' task was therefore to substitute the processing response so that money is dispensed from the correct cassette.

The cables between the ATM and the test processing host were routed outside the machine, so participants could tap into them with a network (LAN) cable.

All the money withdrawn from the system was kept by the players.



The ATMs over the two days of the forum: sad and lonely

Application control


There are several ways to check that an application matches a given white list, from checking the path to the executable file or its hash to analyzing its digital signature and extension. Application control tools are most often used for additional protection of client computers (they block the launch of non-whitelisted software) and to secure isolated systems such as ATMs, which are not meant to be operated interactively on an ongoing basis.

While a black list of extensions to block is more or less universal and easy to configure, a white list of what is allowed to run is redundant by default: it often includes every application present in the operating system at the time of configuration.

Over the past few years many methods of bypassing application control with built-in Microsoft Windows tools (for example, rundll32 and regsvr32) have been described, and simply blocking those tools disrupts normal operation of the OS. Fine-tuning application control is therefore complex and painstaking work, and the result of that work was handed to the competition participants to tear to pieces. Note that in the real world attackers do not have that much time to bypass application control.
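To make the difference between the matching methods mentioned above concrete, here is a small allow-list checker. It is an added example written for this article, not the application control product used in the contest; the file names and the `demo()` scenario are constructed. It records the absolute path and the SHA-256 of each trusted executable, then shows that overwriting a trusted file in place still passes a path-only check but fails the hash check.

```python
"""Added example: a path-only white list versus a hash-based one."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Return the hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def normalize(path):
    """Canonical key for an executable: absolute path, case-folded on Windows."""
    return os.path.normcase(os.path.abspath(path))


def build_allowlist(trusted_paths):
    """Map each trusted executable's canonical path to its current hash."""
    return {normalize(p): sha256_file(p) for p in trusted_paths}


def allowed_by_path(allowlist, candidate):
    """Weak check: is there an entry for this path at all?"""
    return normalize(candidate) in allowlist


def allowed_by_hash(allowlist, candidate):
    """Stronger check: same path and unchanged content."""
    key = normalize(candidate)
    return key in allowlist and allowlist[key] == sha256_file(candidate)


def demo():
    """Constructed scenario: a trusted binary is replaced in place.

    Returns ((path_ok, hash_ok) before the swap, (path_ok, hash_ok) after it).
    """
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "trusted.exe")  # hypothetical file name
        with open(exe, "wb") as f:
            f.write(b"original trusted program")
        allowlist = build_allowlist([exe])
        before = (allowed_by_path(allowlist, exe), allowed_by_hash(allowlist, exe))

        # Replace the contents while keeping the name and location.
        with open(exe, "wb") as f:
            f.write(b"something else entirely")
        after = (allowed_by_path(allowlist, exe), allowed_by_hash(allowlist, exe))
    return before, after


if __name__ == "__main__":
    print(demo())  # ((True, True), (True, False))
```

Real products add signature checks on top of hashes so that legitimate updates do not break the list; the example stops at the path/hash comparison because that is the distinction the text draws.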

First day of the competition




The truth of life :)

The start of the first day was marked by a dense stream of forum participants coming to try their hand at bypassing the application control and altering the processing response: more than 40 people altogether.



First participants

A total of 15 minutes was allotted for a round on the ATM with application control: in that time the participant had to get their code to run. Unfortunately, on the first day every attempt to launch an exploit failed. However, one participant managed to spot a strange device installed on the ATM. It was a skimmer, a miniature portable reading device that can be attached to an ATM. Such devices help fraudsters steal bank card data: card details, PIN code, all the information recorded on the magnetic stripe.



Skimmer

Once the skimmer had been discovered, the card data had to be extracted from it: while preparing the contest, the organizers had recorded a dump of a nonexistent card with a specific number.

A few words about how the skimmer was prepared for the competition.
The skimmer consists of a magnetic read head and a device that records an audio track (versions with Wi-Fi or Bluetooth also exist). This one can be built from an Explay player-recorder or a similar USB voice recorder. Examples here. They are just the right size to fit into the pad of the anti-skimming overlay, with room left for the battery, since the mini Frankenstein had to be prepared and brought to life: a performance test was run on a similar device from a different ATM model. To save space, the USB port mounting pad is cut off, so the necessary adapter had to be made by hand.



Making the adapter

We checked that the skimmer's player switched on correctly using the player's instructions found on the Internet (there were no markings on the buttons, as those stayed on the case) and recorded the card and the number that participants needed to retrieve from the skimmer.



This is roughly what a card looks like with magnetic powder applied to it.

The information on a card's magnetic stripe is written using F/2F frequency coding (what that is and how it can be decoded: read here) and consists of alphanumeric characters in a 7-bit encoding or numeric characters in a 5-bit encoding. To detect read errors, parity bits and a longitudinal redundancy check (LRC) are used.

Data on any track must begin with a start sentinel character and end with an end sentinel character. These characters are chosen so that they make it possible to determine where the block of useful information begins, the direction in which the card was read, and even the encoding format of the information (5 bits or 7 bits).

Control characters are intended for hardware control and cannot be used to carry information (data content). Separators are used to delimit data fields on the card.

In the 7-bit encoding the symbols [ \ ] are reserved for additional national characters and should not be used in international information exchange; the symbol # is reserved for arbitrary additional graphic characters.
Here is an example of what this might look like:

- Standard ISO track 2:

;XXXXXXXXXXXXXXXXX=YYYYYYYYYYYYYYYYY?Z (37 characters)

X...X is the card number, Z is the LRC (the data starts with the start sentinel and ends with the end sentinel, the card number is 16 digits, an LRC is present).
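The track 2 layout described above, worked through in code as an added example (it is not code from the original article). It follows the ISO 7811 track 2 rules: each character is 4 data bits plus one odd-parity bit, written least significant data bit first; the LRC character after the end sentinel is the XOR of the 4 data bits of every character from the start sentinel through the end sentinel. The sample record uses a well-known test PAN and constructed data after the separator (in practice that field carries the expiry date and service code, which the text does not go into; the parser just returns it as "additional" data). The `from_bitstream` helper also shows how the start sentinel reveals a card read in the wrong direction.

```python
"""Added example: ISO 7811 track 2 characters with parity and LRC checks."""

ALPHABET = "0123456789:;<=>?"          # ASCII 0x30..0x3F, index == 4 data bits
START, SEPARATOR, END = ";", "=", "?"


def odd_parity(data):
    """Parity bit that gives the 5-bit word an odd number of 1s."""
    return 0 if bin(data).count("1") % 2 == 1 else 1


def encode_track2(text):
    """Encode ';...=...?' into 5-bit words (data | parity << 4) and append the LRC word."""
    if not (text.startswith(START) and text.endswith(END)):
        raise ValueError("track 2 data must start with ';' and end with '?'")
    words, lrc = [], 0
    for ch in text:
        data = ALPHABET.index(ch)   # ValueError for characters outside the alphabet
        lrc ^= data
        words.append(data | (odd_parity(data) << 4))
    words.append(lrc | (odd_parity(lrc) << 4))
    return words


def decode_track2(words):
    """Decode 5-bit words, rejecting parity errors, a bad LRC, or missing sentinels."""
    for i, w in enumerate(words):
        if bin(w & 0x1F).count("1") % 2 == 0:
            raise ValueError(f"parity error in character {i}")
    *chars, lrc = [w & 0xF for w in words]
    text = "".join(ALPHABET[d] for d in chars)
    if not (text.startswith(START) and text.endswith(END)):
        raise ValueError("sentinels missing: not a complete track 2 record")
    computed = 0
    for d in chars:
        computed ^= d
    if computed != lrc:
        raise ValueError(f"LRC mismatch: stored {lrc:x}, computed {computed:x}")
    return text


def to_bitstream(words):
    """Bits as laid down on the stripe: least significant data bit first, parity last."""
    return "".join(format(w, "05b")[::-1] for w in words)


def from_bitstream(bits):
    """Group a recovered bit stream into words; if the start sentinel is not the
    first character, the card went through the reader backwards, so reverse it."""
    if not bits or len(bits) % 5:
        raise ValueError("bit stream length is not a positive multiple of 5")
    group = lambda b: [int(b[i:i + 5][::-1], 2) for i in range(0, len(b), 5)]
    words = group(bits)
    if (words[0] & 0xF) != ALPHABET.index(START):
        words = group(bits[::-1])
    return words


def parse_track2(text):
    """Split a decoded record into the PAN and the data after the separator."""
    pan, _, rest = text[1:-1].partition(SEPARATOR)
    return {"pan": pan, "additional": rest}


# Constructed sample record: a standard test PAN, not a real card.
SAMPLE = ";4111111111111111=2512101?"

if __name__ == "__main__":
    words = encode_track2(SAMPLE)
    reversed_read = to_bitstream(words)[::-1]
    print(decode_track2(from_bitstream(reversed_read)), parse_track2(SAMPLE))
```

A single flipped bit is caught by the parity check; a substitution that keeps parity intact (one valid character replaced by another) is caught by the LRC, which is why both checks are present.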



Testing and recording the dump

In principle you can copy the data from the player as an MP3 file, find where the track was recorded, zoom in on it in an audio editor and parse it bit by bit, but there are easier ways.

For example:


These tools convert the audio track data to ASCII (decoded data) with more or less accuracy.
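What such tools do at the lowest level is recover bits from the timing of flux transitions in the recording. The following added example (written for this article, not taken from any of the tools) shows the F/2F, or Aiken biphase, bit recovery step on constructed timing data rather than a real recording: every bit cell starts with a transition, a "1" has an extra transition mid-cell and a "0" does not, so each interval is classified against the current bit-cell period. The period is tracked continuously, which is what lets a hand swipe that speeds up or slows down still decode.

```python
"""Added example: bit recovery from F/2F (Aiken biphase) transition timings."""
import random


def f2f_intervals(bits, cell=1.0):
    """Reference encoder: intervals between successive transitions for a bit string."""
    out = []
    for b in bits:
        out += [cell / 2, cell / 2] if b == "1" else [cell]
    return out


def decode_f2f(intervals, lead_in=4):
    """Classify transition intervals into bits.

    The bit-cell period is seeded from the first `lead_in` intervals (a card
    carries leading clocking zeros) and then tracked with a moving average.
    """
    if len(intervals) < lead_in:
        raise ValueError("too few transitions to estimate the bit-cell period")
    period = sum(intervals[:lead_in]) / lead_in
    bits, i = [], 0
    while i < len(intervals):
        d = intervals[i]
        if d < 0.75 * period:
            # first half of a '1' cell: a second short interval must follow
            if i + 1 >= len(intervals) or intervals[i + 1] >= 0.75 * period:
                raise ValueError(f"lone half-cell transition at index {i}")
            bits.append("1")
            period = 0.9 * period + 0.1 * (d + intervals[i + 1])
            i += 2
        else:
            bits.append("0")
            period = 0.9 * period + 0.1 * d
            i += 1
    return "".join(bits)


def distort(intervals, jitter=0.1, slowdown=0.5, seed=7):
    """Constructed imperfections: random timing jitter plus a swipe that slows
    down by `slowdown` over its length."""
    rng = random.Random(seed)
    n = len(intervals)
    return [d * (1 + slowdown * i / n) * (1 + rng.uniform(-jitter, jitter))
            for i, d in enumerate(intervals)]


# Constructed stream: leading clocking zeros, the 5-bit words of ';' (1011 + parity 0)
# and '?' (1111 + parity 1) written least significant bit first, trailing zeros.
CLEAN_BITS = "0000" + "11010" + "11111" + "0000"

if __name__ == "__main__":
    print(decode_f2f(f2f_intervals(CLEAN_BITS)))
    print(decode_f2f(distort(f2f_intervals(CLEAN_BITS))))
```

Once the bit string is back, grouping it into 5-bit words and checking parity and LRC is the character-level step covered in the track 2 example earlier in the article.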

About an hour later, the card data recorded on the skimmer was produced. The well-deserved Audience Choice prize found its owner. Congratulations to Maxim Vikhlyantsev!

The remaining participants continued to fight for the main prizes, hunched over the ATMs :) Some kept trying to break the protection, while others grew tired and lost hope of getting rich quickly. Still, the first day was stormy, even though the main jackpot stayed with the organizers...



Second day




Only the most persistent remained

On the second day of the competition the same participants could be seen at the ATM hacking area. Their persistence in searching for a vector to circumvent the protection was not in vain, and eventually Stanislav Povolotsky bypassed the protection and, having executed unsigned code, won the cash prize held in the first ATM.



Demonstration of the successfully completed task

The network attack on the second ATM was set up as follows: the ATM contained a laptop running software that emulates the processing host.



Processing emulator

The emulator was configured to dispense money for any inserted card, without a PIN code, but the cassette named in the command the emulator sent in response to the request was empty. To solve this problem it was necessary:


tcpdump is a UNIX utility (it has a Windows clone) that lets you intercept and analyze the network traffic passing through the computer it runs on.

Wireshark is a similar utility, only more "loaded", with a GUI.

Scapy is an interactive shell and software library for manipulating network packets in Python.

Ettercap is a utility for analyzing the network traffic passing through a computer's interface, with additional functionality: it can perform man-in-the-middle attacks that force another computer to send its packets to the attacker instead of the router.
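The reason substituting the processing response works at all is that the ATM accepts the reply without checking who produced it. As an added example (not the contest protocol, and not code from the article), the following sketch shows the countermeasure: the host appends an HMAC-SHA256 tag over a canonical form of the response, and the ATM verifies the tag and checks that the reply answers its own outstanding request before acting on the cassette number. The message layout, key and cassette levels are constructed for illustration.

```python
"""Added example: authenticating the processing response so a substituted reply is rejected."""
import hashlib
import hmac
import json


def canonical(body):
    """Deterministic byte form of the body so both sides MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_response(key, body):
    """Host side: attach an HMAC tag to the response body."""
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": tag}


def verify_response(key, message, expected_request_id):
    """ATM side: return the body only if the tag verifies and it answers our request."""
    body = message["body"]
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message.get("mac", "")):
        raise ValueError("MAC mismatch: response altered in transit or not from the host")
    if body.get("request_id") != expected_request_id:
        raise ValueError("response does not match the outstanding request (replay?)")
    return body


def dispense(key, message, request_id, cassette_levels):
    """Decide what to pay out. Returns (cassette, amount), or None when nothing is dispensed."""
    body = verify_response(key, message, request_id)
    if not body.get("approved"):
        return None
    cassette = body["cassette"]
    if cassette_levels.get(cassette, 0) < body["amount"]:
        return None  # empty cassette: nothing comes out, as in the contest setup
    return cassette, body["amount"]


def demo():
    """Constructed scenario: a genuine response, then the same response with the
    cassette field rewritten by someone who does not hold the key."""
    key = b"constructed-shared-key"   # placeholder key for this example only
    levels = {1: 50000, 2: 0}         # cassette 2 is empty
    request_id = "req-0001"
    genuine = sign_response(key, {"request_id": request_id, "approved": True,
                                  "cassette": 2, "amount": 1000})
    tampered = {"body": dict(genuine["body"], cassette=1), "mac": genuine["mac"]}
    results = {"genuine": dispense(key, genuine, request_id, levels)}
    try:
        results["tampered"] = dispense(key, tampered, request_id, levels)
    except ValueError as e:
        results["tampered"] = str(e)
    return results


if __name__ == "__main__":
    print(demo())
```

Binding the tag to the request id is what stops an earlier approved response from being replayed for a new withdrawal; in practice the same effect is obtained by running the ATM-to-host link over mutually authenticated TLS, which the example does not set up.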



Actually, nothing changes

Even with this harder approach the participants ran into difficulties, but they overcame those as well. The prize for forging the processing response at the second ATM went to the team Information and Public, the Security Center and Uzbekistan. Our congratulations! The complete list of winners is on the contest page.

Source: https://habr.com/ru/post/412735/
